The kernel parses arguments, gets the address of the syscall handling
routine in t2, and goes to the process which ptraces. On return from
this process, the kernel restores t2 from the user stack and jumps
there. I've got an example that gets root from this.